Sravya Tirukkovalur commented on SENTRY-951:

Thought it might be useful to summarize the issue reported here, the expected 
semantics, and the recommendation. 

HDFS Sentry sync semantics:
Sentry manages the paths which are Hive objects and which are specified in 
prefix.paths. When a path is Sentry managed, it has mode 771 and owner hive:hive. 

Hive semantics when default warehouse is updated:
When default warehouse is changed, say to "/data"
- default db location still remains at /user/hive/warehouse
- Tables created before the move still remain at /user/hive/warehouse/oldTable
- New tables created in default db after the change will live in the new 
location "/data/newtable"

Sentry HDFS Sync semantics of new warehouse dir given the above hive semantics:
As there is no hive object at /data it will not be sentry managed even after 
/data is added to prefix.paths 

So it is important to make sure the permissions of /data are such that the "hive" 
super group has all access and its children are reachable for other users who 
might have ACLs on children. So the recommendation is to do the following on the new 
warehouse dir:
{noformat}
hdfs dfs -chown hive:hive /data
hdfs dfs -chmod 771 /data
{noformat}

[~anneyu] [~hahao] Can you cross verify the content here? 

> move hive warehouse dir to /hive, the dir doesn't have hive:hive as owner.
> --------------------------------------------------------------------------
>                 Key: SENTRY-951
>                 URL: https://issues.apache.org/jira/browse/SENTRY-951
>             Project: Sentry
>          Issue Type: Bug
>            Reporter: Anne Yu
>            Assignee: Anne Yu
>             Fix For: 1.8.0
>         Attachments: SENTRY-951.0.test.patch
> {noformat}
> sudo -u hdfs hdfs dfs -mkdir -p /another
> sudo -u hdfs hdfs dfs -getfacl /another
> hfds:supergroup
> {noformat}
> put /another into hive.metastore.warehouse.dir;
> add /another into hdfs sentry syncup prefix;
> restart hive, sentry, hdfs
> {code}
> [root@anneyu-538-1 ~]# sudo -u hdfs hdfs dfs -getfacl /another
> # file: /another
> # owner: hdfs
> # group: supergroup
> user::rwx
> group::r-x
> other::r-x
> {code}
> If you create a table, you will get the errors below:
> {code}
> 0: jdbc:hive2://anneyu-538-4.vpc.cloudera.com> create table test7(s string);
> Error: Error while processing statement: FAILED: Execution Error, return code 
> 1 from org.apache.hadoop.hive.ql.exec.DDLTask. MetaException(message:Got 
> exception: org.apache.hadoop.security.AccessControlException Permission 
> denied: user=hive, access=WRITE, inode="/another":hdfs:supergroup:drwxr-xr-x
> {code}
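As an added example (not code from the Sentry project or from the comment above), the following POSIX shell function parses `hdfs dfs -getfacl <dir>` output and checks it against the expected state of a Sentry-managed warehouse directory: owner hive, group hive, mode 771 (user rwx, group rwx, other --x). The two ACL samples are constructed to mirror the report, not captured from a cluster; the function name `check_warehouse_acl` is an assumption for this example. Running it before and after the chown/chmod recommended above shows why the create-table failure occurred (owner hdfs:supergroup with no group write) and that the fix leaves the directory in the intended state.

```shell
#!/bin/sh
# check_warehouse_acl: read `hdfs dfs -getfacl <dir>` output on stdin and
# report whether the directory matches the Sentry-managed expectation
# (owner hive, group hive, mode 771 => user::rwx group::rwx other::--x).
# Prints each deviation found; returns 0 when compliant, 1 otherwise.
# Only the base entries are examined; named (user:alice:rwx) and default:
# entries are ignored because the check is about the directory mode itself.
check_warehouse_acl() {
  owner=""; group=""; uperm=""; gperm=""; operm=""
  while IFS= read -r line; do
    case "$line" in
      "# owner: "*) owner=${line#"# owner: "} ;;
      "# group: "*) group=${line#"# group: "} ;;
      user::*)  uperm=${line#user::} ;;
      group::*) gperm=${line#group::} ;;
      other::*) operm=${line#other::} ;;
    esac
  done
  rc=0
  [ "$owner" = "hive" ] || { echo "owner is '$owner', expected hive"; rc=1; }
  [ "$group" = "hive" ] || { echo "group is '$group', expected hive"; rc=1; }
  [ "$uperm" = "rwx" ] || { echo "user perms '$uperm', expected rwx"; rc=1; }
  [ "$gperm" = "rwx" ] || { echo "group perms '$gperm', expected rwx"; rc=1; }
  [ "$operm" = "--x" ] || { echo "other perms '$operm', expected --x"; rc=1; }
  return $rc
}

# Constructed sample: the state from the bug report, before any chown/chmod.
BAD_ACL='# file: /another
# owner: hdfs
# group: supergroup
user::rwx
group::r-x
other::r-x'

# Constructed sample: the state after `hdfs dfs -chown hive:hive` and `hdfs dfs -chmod 771`.
GOOD_ACL='# file: /data
# owner: hive
# group: hive
user::rwx
group::rwx
other::--x'

# Demonstration: report what is wrong with the pre-fix directory.
printf '%s\n' "$BAD_ACL" | check_warehouse_acl \
  || echo "fix with: hdfs dfs -chown hive:hive <dir> && hdfs dfs -chmod 771 <dir>"
```

On a live cluster, pipe the real output in with `hdfs dfs -getfacl /data | check_warehouse_acl`; a non-zero exit means the warehouse dir is not in the state Sentry expects and the chown/chmod above should be applied.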
